My problem is: when people turn on their computers, the switch can't assign a VLAN to the port where the computer is connected. It only receives that information after the user logs into their account. But how can the user log into AD if there is no network connection??

If no VLAN is assigned to that computer, how can it communicate with AD in order to authenticate the user?

6 Replies

The computer does not communicate with AD; the RADIUS server checks AD. It goes something like this: supplicant (computer) -> authenticator (switch) -> authentication server (RADIUS/NPS server) -> Active Directory (DC server), and then of course the reverse, until the authenticator receives an Access-Accept or Access-Reject from RADIUS.

I see your issue now. Yes, I would suggest doing machine authentication, not user authentication: authenticate by virtue of the machine being a member of the domain, which can be done prior to login. Hopefully that works for you in terms of how you intend to tie in your dynamic VLAN provisioning, i.e., per machine rather than per user. Otherwise you'll need a "landing" VLAN for the machine and then later flip it into a per-user VLAN according to the user credentials they pass.

Yes, you understood the problem. The only way I see is exactly what you described, changing to machine authentication, but the problem is that different (VLAN types of) users log in on common PCs.

Let's see: in a school you have students and teachers, and they go to the library and use the same computers. In order to place them in different VLANs I can't just authenticate by machine, otherwise they would have to use the same VLAN.

The only solution I see to this problem is to find a way to place the computer on a network that can talk to Active Directory and then, once the user login is done, move the computer to another VLAN.

And I don't think this is possible, because when a switch port is authenticated it remains on that VLAN until the port state goes down and authentication is required again.

Yes, I've wrestled with these considerations before. I would encourage you to consider provisioning VLANs based on machine rather than user; after all, it is the machine which is utilizing the VLAN, not the user. This is a conceptual point, but services to users should be provisioned at a higher level than layer 2: moving frames in a broadcast domain is up to the machine, not the user. I'm sure you have good reason to want to segregate user services per VLAN, but consider that student behavior on a machine may introduce malware that is then transported into the VLAN used by teachers when the next teacher logs in.

Machines you build and trust, I'd put on the VLAN that has access to things that are important and need to be protected. Machines (such as personal devices) over which you have no control, I'd segregate into a VLAN that only gives access to the internet and whatever limited internal services are required. VLANs are for security and control, not so much for provisioning services. A VLAN is just a broadcast domain mapped onto a layer 3 IP schema, which is intended for transport of layer 4 and up.

All that said, most switch configs allow for re-auth timers: after a predetermined time, authentication times out and has to be performed again. You don't need to physically admin-down the port just to re-auth. You may be able to use re-auth timers to accomplish what you're trying to do.

Think of it this way: VLANs are like railroad tracks. You might have one set of rails for cargo and another set of rails for passenger trains, but you're not going to have separate sets of rails based on liquid cargo vs. solid cargo, or first-class passengers vs. economy-coach passengers. Definitely different types of railroad cars for liquid vs. solid cargo and first class vs. economy coach, but not separate rails. VLANs are really low level: layer 2, just above the 1s and 0s on the wire. Everything rides on the rails; user services should be provisioned at higher layers in your system. AD is a high-level user service; it presumes the low-level layer 2 "rails" are already established.
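The mechanics the replies above describe (supplicant -> switch -> RADIUS -> AD, an Access-Accept that carries the VLAN, and a re-auth timer the switch applies to the session) can be made concrete. The following is an added example and is not code from this thread, from NPS, or from any switch vendor. It encodes and decodes the RADIUS attributes that carry a dynamic VLAN (Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID from RFC 2868) together with a per-session re-authentication interval (Session-Timeout plus Termination-Action = RADIUS-Request, RFC 2865 and RFC 3580), and it includes a made-up policy that maps the `host/<fqdn>` identity a Windows supplicant presents for machine authentication, or a user's group, to a VLAN. The VLAN numbers, the group name "Teachers" and the identities are assumptions for the example.

```python
"""Added example (not from the thread): RADIUS Access-Accept attributes for
dynamic VLAN assignment and RADIUS-driven re-authentication. Attribute
numbers come from RFC 2865 / RFC 2868 / RFC 3580; the policy is constructed."""
import struct

# RADIUS attribute types
SESSION_TIMEOUT = 27
TERMINATION_ACTION = 29
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13                   # Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6              # Tunnel-Medium-Type value for 802 media
TERMINATION_ACTION_RADIUS_REQUEST = 1   # re-authenticate rather than drop the session


def attr(atype, value):
    """Encode one RADIUS TLV: type, total length (header included), value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def tagged_int(tag, value):
    """RFC 2868 tagged integer: a tag byte followed by a 3-byte big-endian value."""
    return bytes([tag]) + value.to_bytes(3, "big")


def build_vlan_accept_attrs(vlan_id, reauth_seconds=None, tag=1):
    """Attributes the authentication server puts in Access-Accept to assign a VLAN."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    attrs = attr(TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN))
    attrs += attr(TUNNEL_MEDIUM_TYPE, tagged_int(tag, TUNNEL_MEDIUM_IEEE_802))
    attrs += attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii"))
    if reauth_seconds is not None:
        # Session-Timeout plus Termination-Action=RADIUS-Request tells the switch
        # to re-run 802.1X when the timer expires instead of tearing the port down.
        attrs += attr(SESSION_TIMEOUT, struct.pack("!I", reauth_seconds))
        attrs += attr(TERMINATION_ACTION, struct.pack("!I", TERMINATION_ACTION_RADIUS_REQUEST))
    return attrs


def parse_attrs(data):
    """Split a RADIUS attribute blob into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        out.append((atype, data[i + 2:i + alen]))
        i += alen
    return out


def strip_tag(value):
    """RFC 2868: a leading byte in 0x00..0x1F is a tag; anything higher is data."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return None, value


def vlan_from_accept(data):
    """Do what the switch does: return (vlan_id, reauth_seconds) or None if no VLAN."""
    by_tag, session_timeout, term_action = {}, None, None
    for atype, value in parse_attrs(data):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, body = strip_tag(value)
            slot = by_tag.setdefault(tag, {})
            slot[atype] = (body.decode("ascii") if atype == TUNNEL_PRIVATE_GROUP_ID
                           else int.from_bytes(body, "big"))
        elif atype == SESSION_TIMEOUT:
            session_timeout = struct.unpack("!I", value)[0]
        elif atype == TERMINATION_ACTION:
            term_action = struct.unpack("!I", value)[0]
    for slot in by_tag.values():
        # All three tunnel attributes must share a tag and describe a VLAN.
        if (slot.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and slot.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in slot):
            vid = slot[TUNNEL_PRIVATE_GROUP_ID]
            if not vid.isdigit() or not 1 <= int(vid) <= 4094:
                raise ValueError("Tunnel-Private-Group-ID is not a valid VLAN id")
            reauth = session_timeout if term_action == TERMINATION_ACTION_RADIUS_REQUEST else None
            return int(vid), reauth
    return None


# Constructed policy (assumption): the Windows supplicant presents "host/<fqdn>"
# for machine authentication and "DOMAIN\\user" for user authentication. The
# VLAN numbers and the "Teachers" group name are made up for this example.
MACHINE_VLAN, TEACHER_VLAN, STUDENT_VLAN = 10, 20, 30


def choose_vlan(identity, groups=()):
    """Map an authenticated identity to a VLAN, the way an NPS network policy would."""
    if identity.startswith("host/"):
        return MACHINE_VLAN
    return TEACHER_VLAN if "Teachers" in groups else STUDENT_VLAN


if __name__ == "__main__":
    accept = build_vlan_accept_attrs(choose_vlan("host/lib-pc01.school.local"), reauth_seconds=3600)
    print(vlan_from_accept(accept))  # (10, 3600)
```

Two practical points follow from the encoding. First, the switch only acts on the three tunnel attributes together, so an Access-Accept that is missing one of them, or whose Tunnel-Private-Group-ID is not a VLAN number the switch knows, leaves the port in whatever its fallback configuration is; the decoder above returns None or raises in those cases so that the failure is visible rather than silent. Second, a Session-Timeout that the server hands down is only honored as a re-auth timer when the switch is configured to take re-authentication timing from the server (on Cisco IOS, for example, `authentication timer reauthenticate server`); with a fixed local timer the attribute is ignored, so the re-auth behavior described in the reply above depends on both sides.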
